Three college students from the Massachusetts Institute of Technology (MIT) were ordered on Thursday to keep quiet on how they developed the ability to hack into the Boston subway system's payment system and add hundreds of dollars to their payment cards. A federal judge issued a gag order to prevent the students from revealing the security holes they found.
The Associated Press described the situation in detail in weekend newspapers, but this story was overshadowed by the Olympics. Here's an excerpt:
The basic details of the vulnerabilities in the Massachusetts Bay Transportation Authority's two primary payment cards -- CharlieCard and CharlieTicket -- are already floating around the Internet.
Those details were released prior to the students' planned talk last weekend at the DefCon hacker conference in Las Vegas. Electronic copies of the students' 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the transit agency filed its lawsuit. The MBTA sued the students and won a restraining order after the agency said it needed time to fix the problems. The students and conference organizers then canceled the talk.
Another hearing is scheduled for Tuesday to decide if the students can release parts of their findings.
Meanwhile Internet blogs are full of commentary (both pro and con) regarding freedom of speech and whether the students should have revealed their hacking techniques. PC World started blogging on this topic last Wednesday.
Here's part of what they are writing: The complication comes down to one basic question: Should the students have given their full presentation to the MBTA in advance? The MBTA, for its part, now tells CNET News that the group agreed to do just that -- but never did.
The students tell a different story. Responding via the Electronic Frontier Foundation, the students say they had met with the MBTA and "understood that concerns were resolved."
More details surfaced Friday from ZDNet's Richard Koman. He states that:
The essence is that MBTA itself included the MIT students' confidential report (PDF) to MBTA on its security weaknesses as an exhibit in their complaint and it is now a public document.
The students identify the problems:
- Value is stored on card not in a central database
- Anyone with a card can read and write to it
- No crypto signature algorithm
- No centralized card verification
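To make the four points concrete, here is an added example (mine, not code from the students' report and not the MBTA's actual card format; the record layout, the issuer key and the counter field are all invented for illustration). It models a stored-value card whose balance is read straight off the card with no signature, then adds an issuer HMAC over the record, then a central ledger that tracks a per-card counter, and shows what each layer does and does not stop.

```python
"""Toy stored-value card, three ways: unsigned, HMAC-signed, and ledger-checked.

Constructed example. Record layout, key and counter are hypothetical and do
not describe the CharlieCard or CharlieTicket.
"""
import hashlib
import hmac
import struct

KEY = b"hypothetical-issuer-key"  # assumption: a secret held by the issuer's readers

# --- Layer 0: value stored on the card, nothing binds it (items 1-3 above) ---

def pack_unsigned(card_id: int, cents: int) -> bytes:
    """Card record = 4-byte id + 2-byte balance, in the clear."""
    return struct.pack(">IH", card_id, cents)

def reader_accepts_unsigned(record: bytes) -> int:
    """An offline reader simply trusts the balance field."""
    _card_id, cents = struct.unpack(">IH", record)
    return cents

# --- Layer 1: record authenticated with an issuer HMAC ---

def pack_signed(card_id: int, cents: int, counter: int) -> bytes:
    """id + balance + monotonic counter, followed by a truncated HMAC tag."""
    body = struct.pack(">IHI", card_id, cents, counter)
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    return body + tag

def verify_signed(record: bytes):
    """Return (card_id, cents, counter) if the tag checks out, else None."""
    body, tag = record[:10], record[10:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">IHI", body)

# --- Layer 2: central verification of the counter (item 4 above) ---

class Ledger:
    """Back end that remembers the highest counter seen for each card."""
    def __init__(self):
        self.last_counter = {}

    def accept(self, record: bytes):
        parsed = verify_signed(record)
        if parsed is None:
            return (False, "bad tag")
        card_id, cents, counter = parsed
        if counter <= self.last_counter.get(card_id, -1):
            return (False, "replayed card image")
        self.last_counter[card_id] = counter
        return (True, cents)

# --- Demonstrations ---

def demo_unsigned() -> int:
    """Attacker overwrites a $5.00 balance with $600.00; reader accepts it."""
    card = bytearray(pack_unsigned(0x1234, 500))
    card[4:6] = struct.pack(">H", 60000)
    return reader_accepts_unsigned(bytes(card))

def demo_signed_tamper():
    """Same overwrite on a signed record: tag no longer matches, returns None."""
    card = bytearray(pack_signed(0x1234, 500, 1))
    card[4:6] = struct.pack(">H", 60000)
    return verify_signed(bytes(card))

def demo_replay():
    """Attacker dumps a valid $5.00 image, spends the card, then writes the
    dump back. Offline HMAC check passes; the ledger sees a stale counter."""
    ledger = Ledger()
    dumped = pack_signed(0x1234, 500, 1)
    ledger.accept(dumped)                    # first tap: counter 1 recorded
    ledger.accept(pack_signed(0x1234, 0, 2)) # card spent down, counter 2
    offline = verify_signed(dumped)          # valid tag: (0x1234, 500, 1)
    online = ledger.accept(dumped)           # (False, "replayed card image")
    return offline[1], online
```

The middle layer is the one the fourth list item is really about: an HMAC stops an attacker from forging a balance the issuer never wrote, but it does nothing against restoring a saved image of the card with its old, higher balance. Only a record of what the card has already been used for, kept somewhere the cardholder cannot write, catches that.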
There will be plenty more blogs and opinions on this topic floating around cyberspace in the coming days and weeks. I find the debate raging over "free speech" to be somewhat off track. Rather, what about a discussion on the ethics and morality of these students revealing ways to steal from or hack into critical infrastructure? Whether or not we have the constitutional right to say (or write) something is only a part of the question. We have the legal right to do many things that aren't wise. In this case, their actions may or may not be against the law (if they didn't actually steal). But revealing this information at a public conference, when Boston officials were not pleased or content, seems wrong to me.
We've entered a dangerous new time as a technology industry - where it's cool to hack and find ways to break into digital systems. The new way to make a name for yourself, get noticed and have five minutes of fame is to hack into critical infrastructure.
I know the counter arguments. No doubt, many research projects can help uncover holes and help us improve security. But the actions taken by the students in this situation raise many ethical and moral questions.
This information is now all over the Internet. Many "copy-cat" young hackers are developing new ideas and similar game plans. Despite obvious security flaws in the Boston subway system, I have a hard time seeing how this trend is helping America. I do see how it helps the three students from MIT.
What are your thoughts?
Yes, there are ethical questions. However, when a company, consulting firm, software development firm, etc. is dealing with money, whether clients', customers', or the business's own money, a "mil-spec" type of very tough testing and quality control is called for in systems vulnerability analysis, code review, etc.
If companies continue to implement systems with inadequate safeguards and testing, then actions such as these students' are the only way the inadequacies will be brought to public attention so that company executives will be pressured to fund the necessary corrections.
There is a reason free speech is so very important. It helps poor system development be exposed before major economic collapses due to a massive coordinated attack by organized crime can take down the financial infrastructure of a company or a government.